Skip Navigation

Research Funding

Skip Content Marketing
  • Share this:
  • submit to facebook
  • Tweet it
  • submit to reddit
  • submit to StumbleUpon
  • submit to Google +

Data Security SOP

Lock icon: This link will not work for public visitors.Some links will work for NIAID staff only.

This standard operating procedure (SOP) includes the following sections: Purpose, Procedure, Contacts, and Links.

Purpose

To ensure the protection of personally identifiable, sensitive, or confidential information resulting from NIH-supported research or belonging to the federal government.

Procedure

Grantees, contractors, and NIH staff must protect information systems containing identifiable, sensitive, or confidential data, whether electronic or hard copy.

This requirement pertains to data belonging to the federal government or resulting from NIH-supported research. All awardees and NIH staff must protect these data to prevent release or loss.

Some NIH-supported research is also covered by the Federal Information Security Management Act (FISMA; page 48). FISMA applies to contractors and grantees when the government owns the data.

Investigators, Grantees, Contractors, and Institutions

  • Do not put personally identifiable, sensitive, or confidential information about NIH-supported research or participants on portable electronic devices such as laptops, CDs, or flash drives. If you must use such devices, encrypt your data.
  • Limit access to personally identifiable information through password protection and other means.
  • Transmit research data only when you know the recipient's systems are secure.
  • See if the Federal Information Security Management Act (FISMA) applies to you.
    • FISMA does not apply to most grantees except cooperative agreements where data is transferred directly to the government.
    • FISMA applies when you collect, store, process, transmit, or use information on behalf of any government organization. FISMA applies only when the government owns the data.
    • For questions about whether your data falls under FISMA, contact your Information Systems Security Officer.
  • Understand that even if FISMA does not apply, you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
  • If you provide collected sensitive information to NIAID as a condition of your award, NIAID is responsible for protecting the transfer.
  • In the event of a data security breach, do the following.
    • Follow your institute's policy.
    • Also inform your NIAID program officer and grants management or contracting officer.
    • Your institute will pay expenses to address the breach out of indirect costs.

Peer Reviewers

  • Reviewers can gain access to information by:
    • Logging into IMPAC II for both the meeting folder files and the recruitment phase (application review site only – no files sent automatically)
    • Logging into RSS (proposal review site only – email notices of activities sent only, no files attached)
    • Via SEFT (Secure Email and File Transfer Service). Reviewers get a link to SEFT site – (no files attached)
    • Via Adobe Portfolio. Password protected/encrypted files (including Adobe portfolios, Adobe security envelopes, and other MS office file types) emailed to reviewer
    • CDs (if preferred)
  • If NIAID sends you a CD, use a password to access the CD data. See Accessing a Password-Protected CD: Instructions for Reviewers and Accessing a Password-Protected CD: Instructions for Reviewers (with screenshots).
  • In the event of a data security breach such as a lost CD or loss of other application information, notify your scientific review officer immediately.

Scientific Review Officers

  • Password protect review materials.
  • Emphasize to peer reviewers to immediately report the loss of application information.
  • If you learn of any loss of data, immediately contact NIAID's Information Systems Security Officer. Provide the following details:
    • Study section designation, name, and meeting dates.
    • Your contact information. OER will work primarily with you to resolve the situation.
    • Format of material.
    • Circumstances by which the data was lost.

NIAID Staff

  • Be aware that you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
  • Follow these mandatory guidelines for protecting your equipment:
  • If you attend a study section meeting, do not take any notes that would identify reviewers, and do not discuss individual reviewer comments with investigators.
  • In the event of a data security breach, take the following steps:
    • Tell your supervisor and email NIAID's Information Systems Security Officer. Include details on when the breach occurred, scope of data loss, and possible impact if known.
    • If you lose an NIH-issued laptop or Blackberry, or you suspect loss of personally identifiable information, also inform the NIH Helpdesk within one hour.

Contacts

NIH IT Service Desk, 301-496-4357

NIAID's Information Systems Security Officer

If you have knowledge to share or want more information on this topic, email deaweb@niaid.nih.gov with this link and your message. Thanks for helping us clarify and expand our knowledge base.

Links

Lock icon: This link will not work for public visitors.Maintaining Confidentiality in NIH Peer Review

Lock icon: This link will not work for public visitors.Guide for Identifying Sensitive Information

NIH and HHS Encryption Policies, Guidance, and Tools

Lock icon: This link will not work for public visitors.Protecting the Security of NIH Grant Applications

Secure One HHS - Protecting America's Health and Human Services

Last Updated February 20, 2015

Last Reviewed February 09, 2015